FROM node:20-alpine

# Install runtime dependencies
RUN apk add --no-cache \
        git \
        curl \
        ca-certificates \
        bash \
        ttyd

# Entrypoint used by the webui service (ttyd wrapping claude)
COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh

# Create non-root user
RUN addgroup -g 1000 claude \
    && adduser -u 1000 -G claude -s /bin/bash -D claude

# Install Claude Code globally (runs as root for npm -g, then drops)
RUN npm install -g @anthropic-ai/claude-code

# Workspace directory owned by claude user
RUN mkdir -p /workspace && chown claude:claude /workspace

USER claude
WORKDIR /workspace

# Proxy traffic through sidecar — override at runtime if needed
ENV HTTP_PROXY=http://proxy:3128
ENV HTTPS_PROXY=http://proxy:3128
ENV ALL_PROXY=http://proxy:3128
ENV NO_PROXY=localhost,127.0.0.1

ENTRYPOINT ["claude"]
